Healthcare Organizations: How To Protect Against Electronic Privacy Breaches

No business is immune to data breaches…and that includes the healthcare industry, which has seen an 18 percent increase in breaches since 2015, when the U.S. Department of Health and Human Services Office for Civil Rights started publishing major breaches it was investigating.

This is mainly because provider organizations struggle to meet the requirement to notify parties affected by a breach within 60 days. Delays, and therefore non-compliance, typically stem from manual, inefficient processes for the initial reporting of events, risk assessment and breach determination, as well as for the notification process itself.

That being said, provider organizations can typically ask the following two questions of their businesses to determine whether they are in good shape to be compliant with cybersecurity and privacy regulations or whether room for improvement exists:

If you answered “no” to question one or are perhaps unaware certain processes can be automated, as indicated in question two, room for improvement exists. But the good news is risk management technology also exists that helps to automate the risk management process across the enterprise—including risks that can impact your cybersecurity and patient privacy efforts.

The benefits of such features will likely include: improved HIPAA compliance with breach notification lag performance analysis; reduced time needed to comply with OCR reporting requirements; and easier notification of affected parties.

When it comes to notifying affected parties, specifically, the right risk management technology will automate the entire process with mail merge capabilities that can integrate with affected party contact and other data. Pre-built, customized notification letter templates also simplify the process. All of this makes it less onerous to generate the required notifications, particularly when hundreds or thousands of affected people can be involved.

Automation can also document these activities for you, adding date and time stamps to letter generation and even automatically appending copies of generated letters to patient contact records in your system, making it easy to demonstrate compliance if the OCR investigates.

While the recent changes to the OCR HIPAA Breach Reporting Tool are fairly minor organizational and cosmetic improvements, other federal agencies, like the Occupational Safety and Health Administration, have made more significant improvements to compliance reporting with the launch of electronic submission portals. More than likely, it’s only a matter of time before HHS OCR follows suit. Thus, as HHS OCR works to bring HIPAA reporting into the 21st century, healthcare providers need to ensure that they keep pace.